How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV)

Article:TECH97449  |  Created: 2009-01-16  |  Updated: 2013-08-07  |  Article URL http://www.symantec.com/docs/TECH97449
Article Type
Technical Solution


Environment

Issue



You have files that have been quarantined on a local computer, and have been directed to manually submit them via the online submission form rather than from within the interface.

Note:
This document only covers submitting files from clients, not from a Quarantine server.


Solution



To gather files to submit

  1. Navigate to the Quarantine folder.  The path differs between product versions and operating systems.  Here are some examples:

    SEP:
    Windows XP:
    <OS drive>\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine

    Windows 7:
    <OS drive>\ProgramData\Symantec\Symantec Endpoint Protection\12.1.xxx.xxxx.xxx\Data\Quarantine

    SAV:
    <OS drive>\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine
     
  2. The .VBN files at the root of the Quarantine folder are logs and do not contain the quarantined item. However, for each .VBN file in the Quarantine folder there should be another folder with the same name as the .VBN file. You will need to navigate to this folder.

    Example:
    If there is a file named ABCD1234.VBN in the Quarantine folder, there should also be a folder named ABCD1234 in the Quarantine folder. This folder contains a different ABCD1234.VBN file that actually contains the sample. If in doubt when comparing .VBN files with the same name, always send the larger file.
     
  3. In this folder are the .VBN files that need to be submitted. Copy the desired .VBN file to the desktop for easy access. Do not zip or rar .VBN files that are to be submitted.
     
  4. Open a web browser and visit the appropriate URL as provided by support.
    Upload the file(s) as directed by the web page.

    Note:
    There may be multiple .VBN files located in the Quarantine folder.
    These files are encrypted, but if they are opened in a text editor (such as notepad.exe) the original file name can be read at the top.

    If there are multiple .VBN files present and you're unsure of which file(s) to submit, we recommend that you open the SEP/SAV interface, access Quarantine and remove everything except for the file(s) you want to submit. Do not zip or rar .VBN files that are to be submitted. Instead create a new submission for each .VBN file.

    These files are encrypted by Symantec in such a way that we can decrypt them for inspection. While they do potentially contain an infection, due to the proprietary encryption used, there is no danger of infection from these specific files while moving them.
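
The selection in steps 2 and 3 can be scripted when many items are quarantined. The following is an added example, not Symantec code: it pairs each root-level .VBN log with the same-named .VBN in its subfolder, keeps the larger file, and stages uncompressed copies. The function names, the 1 KiB window and 6-character minimum used to read the file name at the top, and the demo file contents are assumptions or constructed data.

```python
import hashlib, re, shutil, tempfile
from pathlib import Path

def header_strings(vbn: Path, limit: int = 1024) -> list[str]:
    """Printable ASCII runs near the top of the file, where the original file
    name is readable. Window and minimum length are assumptions (heuristic)."""
    head = vbn.read_bytes()[:limit]
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{6,}", head)]

def select_samples(quarantine: Path) -> list[dict]:
    """Pair each root .VBN log with the .VBN in its same-named folder and keep
    the larger of the two, as the article advises when in doubt."""
    results = []
    for log in sorted(p for p in quarantine.iterdir()
                      if p.is_file() and p.suffix.lower() == ".vbn"):
        folder = quarantine / log.stem
        inner = [p for p in folder.iterdir() if p.is_file()
                 and p.name.lower() == log.name.lower()] if folder.is_dir() else []
        if not inner:  # log only: no sample folder, so nothing to submit
            results.append({"id": log.stem, "submit": None})
            continue
        best = max([log, *inner], key=lambda p: p.stat().st_size)
        results.append({"id": log.stem, "submit": best,
                        "sha256": hashlib.sha256(best.read_bytes()).hexdigest(),
                        "names": header_strings(best)})
    return results

def stage(results: list[dict], dest: Path) -> list[Path]:
    """Copy each selected .VBN unchanged (no zip/rar), one upload per file."""
    dest.mkdir(parents=True, exist_ok=True)
    return [Path(shutil.copy2(r["submit"], dest / r["submit"].name))
            for r in results if r["submit"]]

def build_demo(root: Path) -> Path:
    """Constructed sample layout; the contents are made up, not real VBN data."""
    q = root / "Quarantine"
    (q / "ABCD1234").mkdir(parents=True)
    (q / "ABCD1234.VBN").write_bytes(b"log-entry")
    (q / "ABCD1234" / "ABCD1234.VBN").write_bytes(
        b"\x00\x01C:\\Users\\demo\\invoice.exe\x00" + bytes(range(256)) * 8)
    (q / "EF567890.VBN").write_bytes(b"log-entry")  # no matching folder
    return q

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        picks = select_samples(build_demo(Path(tmp)))
        for r in picks:
            print(r["id"], r["submit"], r.get("names", [])[:1])
        print(stage(picks, Path(tmp) / "to_submit"))
```

Recording the SHA-256 of each staged file lets you match a submission to the quarantined item later without reopening the Quarantine folder.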

For information on how to submit a suspected False Positive to Symantec, please read: Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe




Legacy ID



2009111605450248



